  • 1.  onstat -d for non-privileged users

    Posted Mon September 18, 2023 10:42 PM

    Hi Y'all.

    In my Perl package I have a function that runs onstat -d.  I originally wrote it while using IDS 11.5.  At the time, anyone could run onstat -d, just not with the "update" option.  That was fine by me.  Hence, anyone could check on the status of the dbspaces & chunks.  But now, under IDS 14.10, a non-informix user gets the message: onstat: Shared memory: permission denied.  This kinda kills the "anyone can do this" aspect of these monitoring utilities.

    I have tried:

    onmode -wm UNSECURE_ONSTAT=1

    (as user informix, of course) to get around that shm constraint but it tells me:

    Configuration Parameter to be changed is not valid or not supported with this option.


    Anyone have an idea how to unbummer this?  Will I have to enable UNSECURE_ONSTAT in the ONCONFIG file?  (As I continue writing this I suspect more and more that this is exactly what I will need to do.)

    Thanks for any alternatives.

    -- Jacob Salomon
    Nobody goes there anymore, it's too crowded.  --Attr: Yogi Berra

  • 2.  RE: onstat -d for non-privileged users

    IBM Champion
    Posted Tue September 19, 2023 03:29 AM

    Hi Jacob,

    UNSECURE_ONSTAT really only controls execution of certain onstat options, typically ones that display SQL text etc. - and, to become effective, onstat first had to succeed in attaching to shared memory, for reading the configuration from shmem.  (I agree, it's debatable whether it shouldn't be tunable.)

    That latter part, apparently, is what's failing with you: shared memory segments carry permissions much like file system files - they're owned by an owner and a group, and can have access permissions anything between 000 and 777 (use ipcs to see, usage varying between platforms.)  Your "permission denied" error indicates lack of privilege for at least one of your server's shmem segments, for the user running the command.
    I'd not see what should have changed here since v11.50; afaik, segments always used to be owned by user informix (or root), group informix and allowing read-write access only for owner + group, with the exception of "communication segments" (for ipcshm protocol) which need to also be read-writable for everyone.

    Maybe your user's setup changed?



    Andreas Legner

  • 3.  RE: onstat -d for non-privileged users

    IBM Champion
    Posted Tue September 19, 2023 06:29 AM


    It is not a permissions issue at all, there was no access denied to Jacob, it's just that the UNSECURE_ONSTAT cannot be modified on the fly.


    You can still query the sysmaster tables, so either recode your Perl report to go to the data or use my dbsavail utility if all you need are dbspace level stats:

    informix@Elezar-II:~$ dbsavail -f
    Sort by: Free KB.

    Dbspace              Number 2K Pages   2K Pages Free    Total KB        Free KB      
    ------------------   ---------------   -------------    ------------    ------------
    indexdbs_1                  373840               0          747680               0     (PgSz: 8K)
    indexdbs                     35000             876           70000            1752     (PgSz: 2K)
    plogspace                   815245            1627         1630490            3254     (PgSz: 2K)
    llogspace                   397220            2167          794440            4334     (PgSz: 2K)
    rubble                        5000            4894           10000            9788     (PgSz: 4K)
    cdrspace                     50000           16641          100000           33282     (PgSz: 2K)
    rootdbs                     150000           59920          300000          119840     (PgSz: 2K)
    flintstone                  100000           99947          200000          199894     (PgSz: 2K)
    datadbs_2                   897496          180486         1794992          360972     (PgSz: 2K)
    datadbs_1                 13670723          202405        27341446          404810     (PgSz: 2K)
    dbtempspc                   250000          233099          500000          466198 TSBs(PgSz: 2K)
    sbspace                     550000          422128         1100000          844256 SBsp(PgSz: 2K)
    tempdbs                    1017312         1017248         2034624         2034496 Temp(PgSz: 2K)
    dbs_16k                    9410728         9102704        18821456        18205408     (PgSz: 16K)
    ------------------   ---------------   -------------    ------------    ------------
    Totals:                   27722564        11344142        55445128        22688284

    informix@Elezar-II:~$ dbsavail -?
    Usage: dbsavail [-H server] [-f] [-p] [-u] [-R] [-F|P|S|N]
          dbsavail [-V|-h]
           -H - Connect to server.
           -p - print %free (Default: KB/MB/GB Free).
           -u - print KB/MB/GB Used or Percent Used instead of Total KB.
           -f - do not update blob chunk statistics (may be less accurate)
           -d - include chunk detail by dbspace.
           -F - sort the report by free size in KB/MB/GB (default).
           -P - sort the report by percent free.
           -S - sort the report by total size in KB/MB/GB.
           -N - sort the report by dbspace name.
           -R - Reverse sort order.
           -V - print copyright notice and exit.
           -K - Display sizes in KB (default).
           -M - Display sizes in MB.
           -G - Display sizes in GB.
           -h - print usage and exit.

           By default the report is ordered by free space in KB/MB/GB.

    Art S. Kagel, President and Principal Consultant
    ASK Database Management Corp.

  • 4.  RE: onstat -d for non-privileged users

    Posted Tue September 19, 2023 09:06 AM
    Andreas and Art, don't you guys ever sleep?

    Art:  Like you, I also like to advertise my utilities. <smile>  And your dbsavail looks quite useful.

    But Andreas hit on the answer I needed:  Rather than enabling UNSECURE_ONSTAT, I recalled the real reason it had worked for me in 11.5: User jake was a member of group informix in /etc/groups.  I added myself to group informix and I can now run the onstat -d without a problem.  Minor caveat: I had to reboot in order for that to take effect.  (HMM... Maybe I had only needed to log out/in?  Not chasing that now.)

    I will have to include that group issue in my documentation.

    Thinking back, there were still some onstat options I was unable to run, though I don't recall what those were. This, although I was a member of group informix.  But I do recall that allowing a non-informix user to run those options would have been a security breach.  Hence, I was reluctant to enable UNSECURE_ONSTAT; I still believe in running from the lowest workable privilege.

    Thanks much, gentlemen.

    +----- Jacob Salomon --------------------------------------------------+
    | The first lesson of economics is scarcity: there is never enough of  |
    | anything to fully satisfy all those who want it. The first lesson of |
    | politics is to disregard the first lesson of economics.              |
    +--------------- Thomas Sowell (Is Reality Optional?::Student Loans) --+

  • 5.  RE: onstat -d for non-privileged users

    Posted Thu September 21, 2023 09:54 PM

    > I added myself to group informix and I can now run the onstat -d
    > without a problem. Minor caveat: I had to reboot in order for that
    > to take effect.

    FYI, a reboot should not have been necessary to pick up the new group
    membership.  Just logout and back in and the new group will be in
    effect.  Use groups(1) or id(1) to verify the new membership.
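
The segment-permission check described in reply 2 and the group check in reply 5, combined as an added example that is not part of the original thread: it evaluates the owner/group/other read bit of each shared memory segment for a given user and group list. It assumes the Linux util-linux column layout of `ipcs -m -c`; the sample listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ipcs -m -c` output (not taken from the thread).
# Two resident segments at 660 plus one world-accessible 666 segment,
# like the "communication segments" mentioned in reply 2.
SAMPLE_IPCS='------ Shared Memory Segment Creators/Owners --------
shmid      perms      cuid       cgid       uid        gid
52428800   660        root       informix   root       informix
52461569   660        root       informix   root       informix
52494338   666        root       informix   root       informix'

# shm_read_access USER "GROUP1 GROUP2 ..."   (reads an ipcs -m -c listing on stdin)
# Prints one line per segment: <shmid> <perms> <class> <allow|deny>
# System V IPC picks exactly one class: owner (user is creator or owner),
# else group (any of the user's groups is cgid or gid), else other.
# Privileged bypass (root / CAP_IPC_OWNER) is not modelled, and names must
# resolve: a listing that shows numeric ids will not match names.
shm_read_access() {
    awk -v user="$1" -v groups="$2" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-7]+$/ && NF >= 6 {
        p = $2; while (length(p) < 3) p = "0" p      # ipcs prints 0 for mode 000
        if (user == $3 || user == $5) {
            cls = "owner"; d = substr(p, length(p) - 2, 1)
        } else if (($4 in member) || ($6 in member)) {
            cls = "group"; d = substr(p, length(p) - 1, 1)
        } else {
            cls = "other"; d = substr(p, length(p), 1)
        }
        # An octal digit of 4..7 has the read bit set.
        print $1, p, cls, (d + 0 >= 4 ? "allow" : "deny")
    }'
}

# count_denied USER "GROUPS": number of segments the user cannot read.
# Any non-zero count is enough for an attach to fail with "permission denied".
count_denied() {
    shm_read_access "$1" "$2" | awk '$4 == "deny" { n++ } END { print n + 0 }'
}

# Live use, for the account that is currently logged in:
#   ipcs -m -c | shm_read_access "$(id -un)" "$(id -Gn)"
# id -Gn reports the groups of the current session, so a group added since
# login does not appear until the next login.
```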